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DETAILED ACTION 

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this appHcation is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 
1.17(e) has been timely paid, the finaHty of the previous Office action has been 
withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on July 16, 2007 has 

, been entered. 

2. Claims 1-29 have been examined. 

3. Claims 1-29 are pending. 

4. Amendment to the specification filed on July 16, 2007 is acknowledged. 

Claim Rejections - 35 USC §103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claims 1-5 are rejected under 35 U.S.C. 103(a) as being vmpatentable over Kavsan (US 
Pat. No.: 6,412, 069) in view of Teal et al. (hereinafter referred to as Teal, US Pub No.: 
2003/0120935). 

As per claim 1 : 

Kavsan teaches a method for protecting an operating system, comprising: 



Application/Control Number: 1 0/602, 1 96 Page 3 

Art Unit: 2137 

determining integrity data for an operating system binary, wherein the integrity data 
enables detection of a modification to the operating system binary (Colimin 2: 
lines 10-24; Column 2, lines 61-67; Column 3: lines 5-15, 20-27); and 

the kernel is operable to employ the integrity data to detect the modification to the 
operating system binary (Column 3: lines 35-52; lines 54-65). 

Kavsan does not explicitly disclose modifying a kernel with the integrity data. Teal in 
analogous art, however, disclose modifying a kernel with the integrity data (0035; 0044; 0067; 
0091; 0095; 0097). Therefore, it would have been obvious to a person having ordinary skill in 
the art at the time the invention was made to modify the system disclosed by Kavsan to include 
modifying a kernel with the integrity data. This modification would have been obvious because a 
person having ordinary skill in the art would have been motivated to do so to provide owners of 
proprietary networks of individual computer resources to have greater security protection than is 
provided by embedded security utilities, by firewall products, or by firewall products with 
automatic intrusion detection tools as suggested by Teal in (0032). 

As per claim 2: 

Teal discloses a method, wherein the integrity data further comprises, at least one of a 
digital signature, and a hash associated with the operating system binary (0044). 



As per claim 3: 
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Teal discloses a method, wherein the hash further comprises at least one a message 
digest, and a Secure Hash Algorithm (SHA) (Page 7: Paragraph 4). 

As per claim 4: 

Teal discloses a method, wherein the modifying the kernel further comprises: 
storing the integrity data in a data store (0013; 0042; 0048; 0049; 0063; 0067); and 
embedding the data store into the kernel (0013; 0042; 0048; 0049; 0063; 0067); 

As per claim 5: 

Teal discloses a method, wherein embedding the data store in the kernel further 
comprises at least one of digitally signing the data store, and encrypting the data store (0013; 
0042; 0048; 0049; 0063; 0067). 

7. Claims 6-7 are rejected under 35 U.S.C. 103(a) as being unpatentable over Kavsan (US 
Pat. No.: 6,412, 069) in view of Teal et al. (hereinafter referred to as Teal, US Pub No.: 
2003/0120935) and further in view of Pham et al. (US Pub No.: 2004/0078568). 

As per claim 6: 

Teal teaches generating an operating system image based in part on the modified kernel 
and the operating system user level binary (0094-0095). 

Kavsan and Teal do not explicitly disclose the operating system image comprises at least 
one of creating an archive file, a compressed file, and a Cabinet (CAB) file. Pham et al. in 
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analogous art, however, disclose the operating system image comprises at least one of creating 
an archive file, a compressed file, and a Cabinet (CAB) file (Figure 5B: 42; Figure 12: 388). 
Therefore, it would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to modify the system disclosed by Kavsan and Teal to include the operating 
system image comprises at least one of creating an archive file, a compressed file, and a Cabinet 
(CAB) file. This modification would have been obvious because a person having ordinary skill 
in the art would have been motivated to do so to provide an efficient mechanism for reliably 
securing persistent data in a manner eminently subject to cooperative management and control 
within a security domain as suggested by Pham et al. in (Page 2: 0012). 

As per claim 7: 

Kavsan discloses a method, wherein the operating system binary further comprises at 
least one of an OS user level binary, and the kernel (Figure 1 : Application Space; Kernel Space). 

8. Claims 8-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over Eun et al. 
(WO 01/80482 Al) in view of Teal et al. (hereinafter referred to as Teal, US Pub No.: 
2003/0120935). 

As per claim 8: 

Eun et al. disclose a method for protecting an operating system, comprising; 
generating a first integrity data for an operating system binary (Page 5: lines 1 1-20; lines 
28-34; Page 6: lines 4-11); 
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receiving a request associated with the operating system binary (Page 8: lines 15-22); 
retrieving the first integrity data associated with the operating system binary (Figure 3: 
312,314 318); 

determining if the first integrity data indicates tampering of the operating system binary 

(Figure 3 : 3 1 0 308 306); and 
performing a tamper detection action if the first integrity data indicates tampering of the 

operating system binary (Figure 3: 310 308 306). 

Eun et al. do not explicitly disclose modifying an operating system kernel with the first 
integrity data. Teal in analogous art, however, disclose modifying an operating system kernel 
with the first integrity data (0035; 0044; 0067; 0091; 0095; 0097). Therefore, it would have been 
obvious to a person having ordinary skill in the art at the time the invention was made to modify 
the system disclosed by Eun et al. to include modifying an operating system kernel with the first 
integrity data. This modification would have been obvious because a person having ordinary skill 
in the art would have been motivated to do so to provide owners of proprietary networks of 
individual computer resources to have greater security protection than is provided by embedded 
security utilities, by firewall products, or by firewall products with automatic intrusion detection 
tools as suggested by Teal in (0032). 

As per claim 9: 

Eun et al. disclose a method, wherein receiving the request further comprises receiving at 
least one of a read action, an execute operation, and an install request (Figure 8: 702). 
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As per claim 10: 

Teal discloses a method, wherein performing the tamper detection action further 
comprises at least one of providing a tamper detection message, and quarantining the operating 
system binary (002 1 ; 004 1 ; 0042; 0074; 0079). 

As per claim 1 1 : 

Teal discloses a method, wherein the first integrity data further comprises at least one of a 
digital signature, and a hash associated with the operating system binary (0013; 0042; 0048; 
0049; 0063; 0067). 

As per claim 12: 

Teal discloses a method, wherein the hash further comprises at least one a message 
digest, and a Secure Hash Algorithm (SHA) (0013; 0042; 0048; 0049; 0063; 0067). 

As per claim 13: 

Teal discloses a method, wherein modifying the operating system kernel with the first 
integrity data further comprises storing the first integrity data in at least one of a database, a file, 
and a program (0013; 0042; 0048; 0049; 0063; 0067), 

As per claim 14: 
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Teal discloses a method, wherein modifying the operating system kernel further 
comprises associating the first integrity data with the operating system kernel (0013; 0042; 0048; 
0049; 0063; 0067). 

As per claim 15: 

Teal discloses a method, wherein associating the first integrity data with the operating 
system kernel further comprises digitally signing the first integrity data with a digital key 
associated with the operating system kernel (0013; 0042; 0048; 0049; 0063; 0067). 

As per claim 16: 

Eun et al. disclose a method, wherein determining if the first integrity data indicates 
tampering of the operating system binary further comprises: 

determining a second integrity data for the operating system binary (Page 2: lines 15-27; 

Abstract; Page 7: lines 15-20); 
determining if the first integrity data is substantially different fi*om the second integrity 

data (Page 6: lines 25-36); Page 7: lines 15-20); and 
indicating tampering of the operating system binary if the first integrity data is 

substantially different from the second integrity data (Page 13: lines 16-33). 



As per claim 17: 
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Eun et al. disclose a method, wherein determining if the first integrity data is substantially 
different from the second integrity data further comprises comparing the second integrity data to. 
the first integrity data (Page 2: lines 15-27; Abstract; Page 7: lines 15-20). 

As per claim 18: . 

Eun et al. disclose a method for protecting an operating system, comprising: 
receiving a request associated with an operating system binary (Page 8: lines 15-22); 
retrieving integrity data associated with the operating system binary (Figure 3: 312, 314 
318); and 

performing a tamper detection action if the integrity data indicates tampering of the 
operating system binary (Figure 3: 310 308 306). 

Eun et al. do not explicitly disclose modifying an operating system kernel. Teal in 
analogous art, however, disclose modifying an operating system kernel (0035; 0044; 0067; 0091; 
0095; 0097). Therefore, it would have been obvious to a person having ordinary skill in the art at 
the time the invention was made to modify the system disclosed by Eun et al. to include 
modifying an operating system kernel. This modification would have been obvious because a 
person having ordinary skill in the art would have been motivated to do so to provide owners of 
proprietary networks of individual computer resources to have greater security protection than is 
provided by embedded security utilities, by firewall products, or by firewall products with 
automatic intrusion detection tools as suggested by Teal in (0032). 



Application/Control Number: 10/602,196 Page 10 

Art Unit: 2137 

As per claim 19: 

Eun et al. disclose a method, wherein receiving the request further comprises receiving at 
least one of a read action, an execute operation, and an install request (Figure 8: 702). 

As per claim 20: 

Teal discloses a method, wherein performing the tamper detection action further 
comprises at least one of providing a tamper detection message, and quarantining the operating 
system binary (002 1 ; 004 1 ; 0042; 0074; 0079). 

As per claim 21: 

Eun et al. disclose a method, wherein determining if the integrity data indicates 
tampering of the operating system binary further comprises: 

determining another integrity data for the operating system binary (Page 2: lines 15-27; 
Abstract; Page 7: lines 15-20); 
. determining if the other integrity data is substantially different from the retrieved 
integrity data (Page 6: lines 25-36); Page 7: lines 15-20); and 
indicating tampering of the operating system binary if the other integrity data is 
substantially different from the retrieved integrity data (Page 13: lines 16-33). 

As per claim 22: 

Eun et al. disclose a computer-readable medium having computer-executable components 
for protecting an operating system, comprising: 
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a data store configured to receive and store a first integrity data, wherein the first integrity 
data is for an operating system binary (Figure 3: 312, 314, 316, 318); and 

receiving a request to examine an operating system binary (Page 6: Hnes 5-11; Page 7: 4- 
22); 

retrieving the first integrity data for the operating system binary (Page 8: Hnes 1 1-22); 
determining if the first integrity data indicates tampering of the operating system binary 
(Page 11: lines 15-33). 

Eun et al. do not explicitly disclose a tamper detection component, coupled to the data 
store, that is arranged to perform actions, and performing a tamper detection action if the first 
integrity data indicates tampering of the operating system binary. Teal in analogous art, however, 
disclose a tamper detection component, coupled to the data store, that is arranged to perform 
actions, and performing a tamper detection action if the first integrity data indicates tampering of 
the operating system binary (0037, 0041; 0044; 0067; 0091; 0095; 0097). Therefore, it would 
have been obvious to a person having ordinary skill in the art at the time the invention was made 
to modify the system disclosed by Eun et al. to include a tamper detection component, coupled to 
the data store, that is arranged to perform actions, and performing a tamper detection action if the 
first integrity data indicates tampering of the operating system binary.. This modification would 
have been obvious because a person having ordinary skill in the art would have been motivated 
to do so to provide owners of proprietary networks of individual computer resources to have 
greater security protection than is provided by embedded security utilities, by firewall products, 
or by firewall products with automatic intrusion detection tools as suggested by Teal in (0032). 
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As per claim 23: 

Teal discloses a computer-readable medium, wherein the computer-executable 

components are associated with an operating system kernel (0037, 0041; 0044; 0067; 0091; 
0095; 0097). 

As per claim 24: 

Teal discloses a computer-readable medium, wherein performing the tamper detection 
action further comprises at least one of providing a tamper detection message, and quarantining 
the operating system binary (0021 ; 0041 ; 0042; 0074; 0079). 

As per claim 25: 

Eun et al. disclose a computer-readable medium, wherein the first integrity data further 
comprises at least one of a digital signature, and a hash associated with the operating system 
binary (Figure 3: 304). 

As per claim 26: 

Eun et al. disclose a computer-readable medium, wherein the operating system binary 
further comprises at least one of an OS user level binary, and a kernel (Figure 2: User Level, 
Kernel Level). 

As per claim 27: 
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Pham et al. discloses a computer-readable medium, wherein determining if the first 
integrity data indicates tampering of the operating system binary further comprises: 

determining a second integrity data for the operating system binary (Figure 5B: 156); 
determining if the first integrity data is substantially different from the second integrity 

data (Figure 1 OB: 298), and 
indicating tampering of the operating system binary if the first integrity data is 

substantially different from the second integrity data (Figure 1 OB: lines 302). 

As per claim 28: 

Eun et al. a computer-readable medium, wherein the second integrity data further 
comprises at least one of a digital signature, and a hash associated with the operating system 
binary (Figure 3: 304). 

As per claim 29: 

Eun et al. disclose an apparatus for protecting an operating system, comprising: means 
for receiving a request to examine an operating system binary; 

means for retrieving a first integrity data for the operating system binary (Page 8: lines 
11-22); 

means for determining a second integrity data for the operating system binary (Page 6: 
lines 25-36); Page 7: lines 15-20); and 
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Eun et al do not explicitly disclose means for determining if the first integrity data is 
substantially different from the second integrity data, and if the first integrity data is substantially 
different from the second integrity data, a means for performing a tamper detection action. Teal 
in analogous art, however, disclose means for determining if the first integrity data is 
substantially different from the second integrity data, and if the first integrity data is substantially 
different from the second integrity data, a means for performing a tamper detection action (0037, 
0041; 0044; 0067; 0091; 0095; 0097). Therefore, it would have been obvious to a person having 
ordinary skill in the art at the time the invention was made to modify the system disclosed by 
Eun et al. to include means for determining if the first integrity data is substantially different 
from the second integrity data, and if the first integrity data is substantially different from the 
second integrity data, a means for performing a tamper detection action. This modification would 
have been obvious because a person having ordinary skill in the art would have been motivated 
to do so to provide owners of proprietary networks of individual computer resources to have 
greater security protection than is provided by embedded security utilities, by firewall products, 
or by firewall products with automatic intrusion detection tools as suggested by Teal in (0032). 

Conclusion 

9. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

See the notice of reference cited in form PTO-892 for additional prior art 
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Contact Information 

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Techane J. Gergiso whose telephone number is (571) 272-3784 
and fax number is 1(571 > 273^3184!. The examiner can normally be reached on 9:00am - 6:00pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization 
where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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